
Wilma pep proxy and keystone - valid access token not found

I have Wilma redirecting valid requests to Orion, but no messages are reaching it, as I always get "Access Token not found" from Wilma. The account entered in the Wilma config file is the admin account of Keystone. From the OpenStack API docs I request tokens using the request below.

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "userAdmin",
          "domain": { "id": "default" },
          "password": "pw"
        }
      }
    }
  }
}' \
  http://130.206.115.xxx:5000/v3/auth/tokens ; echo

I think I get a valid token, because direct requests to Keystone using curl with X-Auth-Token work fine.

Then I try to curl from my computer:

curl --header "X-Auth-Token:$TOKEN" <ipOfWilma>:80/v2/entities

And get as an answer: "User token not authorized". Wilma reports on the console:

[TOKEN] Checking token with IDM...
User access-token not authorized
Auth-token not found in request header

Keystone reports the same:

"GET /v3/access-tokens/90ecf18114164f98b25668b9a940eb44 HTTP/1.1" 404

Why am I getting this "access token not found" when going through Wilma but not for direct requests?

Edit: I also tried requesting domain-scoped tokens but received the same error.

Ok, I think I got it. There are 2 things to consider:

  1. The error Wilma is returning is "Auth-token not found in request header", which makes me think that somehow you are not sending the --header 'X-Auth-Token: <x-auth-token>' correctly. Make sure your value is getting parsed correctly (as I see you use a parameter).

  2. The token that you retrieve from Keystone is a Keystone token, and not intended for what you need. To access a protected resource, you need to use the OAuth token. It can be a bit confusing in the beginning, but if you think about it, it all makes sense. Check the Open Specification for a better understanding.

So, at this point, I'll assume that you have already configured your app in the Keyrock instance and that you are able to retrieve both the client_secret and client_id. Now you have 2 ways to retrieve the OAuth token, as stated in the Fi-ware-Idm wiki:

  1. Authorization Code Grant. You have a simple example here; just configure config.js according to your requirements.

  2. Resource Owner Password Credentials Grant, which is easier to retrieve for simple requests (in my opinion). For this case we have a simple script in bash here. Just make sure you replace the CLIENT_ID, CLIENT_SECRET, and the host (or IP) in the REQUEST according to your requirements. Then, just run:

     sh auth-token.sh <user-email> <password> 

And then you should be able to retrieve the token. With that token, and if the resource is authorized in AuthzForce, everything should work.

Finally, if you are into Docker and want to give it a try, we have a workaround using docker and docker-compose that uses the Generic Enablers you are working with. For example, you can find here the documentation of PEP Wilma and how to run it (it's very simple).

Let me know if you have any doubts.
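The two-step flow the answer describes, as an added example that is not part of the original post or of the Keyrock/Wilma code: obtain an OAuth2 token from Keyrock with the Resource Owner Password Credentials grant (Basic client authentication against /oauth2/token), then send that token, not the Keystone one, to Wilma in X-Auth-Token. The IdM and Wilma hosts, the client credentials and the sample token reply are placeholders constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (constructed): replace with your Keyrock and Wilma hosts.
IDM_BASE = "http://idm.example.invalid:8000"
PEP_BASE = "http://wilma.example.invalid:80"


def oauth2_password_grant_request(idm_base, client_id, client_secret, username, password):
    """Build the password-grant request: the app authenticates to Keyrock with
    HTTP Basic (client_id:client_secret); the user's credentials go in the body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(f"{idm_base}/oauth2/token", data=body,
                                  headers=headers, method="POST")


def parse_oauth2_token(raw_json):
    """Extract the OAuth2 access token. A Keystone /v3/auth/tokens reply carries
    no 'access_token' field (its token is the X-Subject-Token header), which is
    the mix-up in the question above; refuse it instead of forwarding it."""
    data = json.loads(raw_json)
    token = data.get("access_token")
    if not token:
        raise ValueError("not an OAuth2 token response (Keystone token by mistake?)")
    return token


def pep_request(pep_base, path, oauth_token):
    """Request to Orion through the Wilma PEP proxy: OAuth2 token in X-Auth-Token."""
    return urllib.request.Request(f"{pep_base}{path}",
                                  headers={"X-Auth-Token": oauth_token})


def fetch_entities_via_pep(client_id, client_secret, username, password):
    """End-to-end flow (needs network): token from Keyrock, then /v2/entities via Wilma."""
    with urllib.request.urlopen(oauth2_password_grant_request(
            IDM_BASE, client_id, client_secret, username, password)) as resp:
        token = parse_oauth2_token(resp.read().decode())
    with urllib.request.urlopen(pep_request(PEP_BASE, "/v2/entities", token)) as resp:
        return json.loads(resp.read().decode())
```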
